Iranian Hackers Deploy New BugSleep Backdoor in Middle East Cyber Attacks

A group of cyber attackers from Iran known as MuddyWater has been detected using an unprecedented backdoor as part of its recent assault campaign, veering away from its well-established strategy of deploying lawful remote monitoring and management (RMM) software to maintain continuous access.

Cybersecurity companies Check Point and Sekoia, which discovered the malware independently of one another, have dubbed it BugSleep and MuddySpin, respectively.

“In contrast to previous campaigns, this time MuddyWater altered their infection chain and no longer depended on the legitimate Atera remote monitoring and management tool (RMM) for validation,” Sekoia stated in a report shared with The Hacker News. “Instead, they used a new and unrecorded implant.”

Some aspects of the campaign were initially disclosed by Israeli cybersecurity firm ClearSky on June 9, 2024. The targets include nations such as Turkey, Azerbaijan, Jordan, Saudi Arabia, Israel, and Portugal.

MuddyWater (also known as Boggy Serpens, Mango Sandstorm, and TA450) is a government-backed threat actor linked with Iran’s Ministry of Intelligence and Security (MOIS).

The cyber assaults executed by the group have been somewhat consistent, leveraging targeted email messages with spear-phishing schemes to deliver various RMM tools such as Atera Agent, RemoteUtilities, ScreenConnect, SimpleHelp, and Syncro.

Earlier in April, HarfangLab reported an increase in MuddyWater campaigns distributing Atera Agent since late October 2023 across enterprises in Israel, India, Algeria, Turkey, Italy, and Egypt. The sectors under attack include airlines, IT firms, telecommunications, pharmaceuticals, automotive manufacturing, logistics, travel, and tourism.

“MuddyWater gives high importance to gaining entry to corporate email accounts as part of their ongoing assault campaigns,” the French cybersecurity company observed during that time.

“These compromised accounts serve as valuable resources, allowing the group to enhance the credibility and efficiency of their spear-phishing endeavors, establish continuity within targeted entities, and avoid detection by blending in with genuine network traffic.”

The recent attack sequences follow a similar pattern where compromised email accounts from legitimate businesses are utilized to dispatch spear-phishing messages containing a direct web link or a PDF attachment pointing to an Egnyte subdomain, which has been previously exploited by the threat actor to propagate Atera Agent.

BugSleep, also known as MuddySpin, is an x64 implant written in C that can download arbitrary files to the infected system, upload files from it, launch a reverse shell, and establish persistence. Communication with a command-and-control (C2) server occurs over a raw TCP socket on port 443.

“The initial message sent to the C2 is the unique fingerprint of the victim host, which consists of the hostname and the username linked with a slash,” Sekoia remarked. “If the victim gets a response of ‘-1,’ the operation ceases; otherwise, the malware enters an infinite loop to await further instructions from the C2.”
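As an added illustration, not taken from the article or from either vendor's report, the following heuristic flags the check-in behaviour described above from a defender's side: an outbound TCP/443 connection whose first client bytes are not a TLS ClientHello and instead look like a plaintext `hostname/username` fingerprint. The flow records are constructed sample data and their field names are assumptions.

```python
import re

# Constructed sample of first-client-payload records for outbound TCP flows,
# shaped like what a packet logger or NIDS might emit (not real captures).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443,
     "payload": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"},   # TLS ClientHello
    {"src": "10.0.0.7", "dst": "203.0.113.44", "dport": 443,
     "payload": b"WKSTN-07/jsmith"},                                 # fingerprint shape
    {"src": "10.0.0.9", "dst": "203.0.113.20", "dport": 443,
     "payload": b"GET / HTTP/1.1\r\nHost: example.test\r\n"},         # plaintext HTTP
    {"src": "10.0.0.3", "dst": "203.0.113.9", "dport": 8080,
     "payload": b"HOST-03/admin"},                                   # not port 443
]

# "<hostname>/<username>": one slash, no whitespace, sane length caps.
# Assumption: usernames with spaces are not covered by this simple pattern.
FINGERPRINT_RE = re.compile(rb"^[A-Za-z0-9_.-]{1,64}/[A-Za-z0-9_.-]{1,64}$")


def is_tls_client_hello(payload: bytes) -> bool:
    """TLS record: content type 0x16 (handshake), version 0x03 0x0X,
    then a handshake header whose type byte is 0x01 (ClientHello)."""
    return (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01)


def looks_like_bugsleep_checkin(flow: dict) -> bool:
    """True for a TCP/443 flow that opens with a non-TLS payload matching the
    hostname/username beacon shape described for BugSleep."""
    if flow["dport"] != 443:
        return False
    payload = flow["payload"]
    if is_tls_client_hello(payload):
        return False
    return FINGERPRINT_RE.match(payload.strip()) is not None


def find_suspicious(flows: list) -> list:
    """Return the subset of flows worth an analyst's attention."""
    return [f for f in flows if looks_like_bugsleep_checkin(f)]


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_FLOWS):
        print(f"suspicious check-in: {f['src']} -> {f['dst']}:{f['dport']} {f['payload']!r}")
```

Plaintext on port 443 that is not TLS is itself a useful anomaly to alert on; the fingerprint pattern only narrows it to this family's described first message.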

The reason behind MuddyWater’s switch to custom implants is presently unclear, although it is presumed that enhanced scrutiny of RMM tools by security providers could be a contributing factor.

“The heightened activity of MuddyWater in the Middle East, especially in Israel, underscores the persistent nature of these threat actors, who continue to target a broad spectrum of victims in the region,” Check Point stated.

“Their consistent use of phishing campaigns, now integrating a bespoke backdoor, BugSleep, represents a significant evolution in their techniques, strategies, and methods (TSMs).”